Acknowledged
Created: Dec 16, 2025
Updated: Dec 18, 2025
Found In Version: 10.25.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 25
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe

The sit driver's packet transmission path calls: sit_tunnel_xmit() ->
update_or_create_fnhe(), which leads to fnhe_remove_oldest() being called
to delete entries exceeding FNHE_RECLAIM_DEPTH+random.

The race window is between fnhe_remove_oldest() selecting fnheX for
deletion and the subsequent kfree_rcu(). During this time, the
concurrent path's __mkroute_output() -> find_exception() can fetch the
soon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a
new dst using a dst_hold(). When the original fnheX is freed via RCU,
the dst reference remains permanently leaked.

CPU 0                             CPU 1
__mkroute_output()
  find_exception() [fnheX]
                                  update_or_create_fnhe()
                                    fnhe_remove_oldest() [fnheX]
  rt_bind_exception() [bind dst]
                                  RCU callback [fnheX freed, dst leak]

This issue manifests as a device reference count leak and a warning in
dmesg when unregistering the net device:

  unregister_netdevice: waiting for sitX to become free. Usage count = N

Ido Schimmel provided the simple test validation method [1].

The fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes().
Since rt_bind_exception() checks this field, setting it to zero prevents
the stale fnhe from being reused and bound to a new dst just before it
is freed.

[1]
ip netns add ns1
ip -n ns1 link set dev lo up
ip -n ns1 address add 192.0.2.1/32 dev lo
ip -n ns1 link add name dummy1 up type dummy
ip -n ns1 route add 192.0.2.2/32 dev dummy1
ip -n ns1 link add name gretap1 up arp off type gretap local 192.0.2.1 remote 192.0.2.2
ip -n ns1 route add 198.51.0.0/16 dev gretap1
taskset -c 0 ip netns exec ns1 mausezahn gretap1 -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q &
taskset -c 2 ip netns exec ns1 mausezahn gretap1 -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q &
sleep 10
ip netns pids ns1 | xargs kill
ip netns del ns1
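
The interleaving and the fix described above, replayed as an added example that is not part of this record or of the kernel source. It is a single-threaded user-space C model; struct dst, struct fnhe, bind_exception(), flush_routes() and leaked_refs() are simplified, hypothetical stand-ins for the kernel's structures and functions, and the destination address is constructed.

```c
/* Simplified single-threaded user-space model; not kernel source. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct dst  { int refcnt; };              /* stands in for a route's dst entry */
struct fnhe { uint32_t daddr; struct dst *cached; };

/* Model of rt_bind_exception(): bind only if the entry still matches daddr. */
static int bind_exception(struct fnhe *f, struct dst *d, uint32_t daddr)
{
    if (f->daddr != daddr)
        return 0;
    d->refcnt++;                          /* dst_hold() on behalf of the fnhe */
    f->cached = d;
    return 1;
}

/* Model of fnhe_flush_routes(): drop whatever dst the entry caches. */
static void flush_routes(struct fnhe *f)
{
    if (f->cached) {
        f->cached->refcnt--;
        f->cached = NULL;
    }
}

/* Replays the CPU 0 / CPU 1 interleaving; returns dst references left over. */
static int leaked_refs(int with_fix)
{
    const uint32_t daddr = 0xC6336401u;   /* 198.51.100.1, constructed */
    struct dst d = { .refcnt = 1 };       /* reference owned by the sender */
    struct fnhe *x = calloc(1, sizeof(*x));
    if (!x)
        return -1;
    x->daddr = daddr;

    struct fnhe *seen = x;                /* CPU 0: find_exception() */
    if (with_fix)                         /* CPU 1: fnhe_remove_oldest() */
        x->daddr = 0;                     /*   the fix: clear fnhe_daddr */
    flush_routes(x);                      /*   then fnhe_flush_routes() */
    bind_exception(seen, &d, daddr);      /* CPU 0: rt_bind_exception() */
    free(x);                              /* CPU 1: RCU callback frees fnheX */
    d.refcnt--;                           /* sender drops its own reference */
    return d.refcnt;                      /* nonzero: nothing is left to release it */
}

int main(void)
{
    printf("without fix: %d leaked, with fix: %d leaked\n",
           leaked_refs(0), leaked_refs(1));
    return 0;
}
```

In the model the leftover reference corresponds to the dst that keeps the net device pinned, which is what the unregister_netdevice warning reports.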